Computer Engineering and Applications ›› 2011, Vol. 47 ›› Issue (19): 63-67.

• 网络、通信、安全 • Previous Articles     Next Articles

Effective approach to re-engineering of protocol’s state machine model

TIAN Yuan,LI Jianbin,ZHANG Zhen   

  1. School of Software,Dalian University of Technology,Dalian,Liaoning 116620,China
  • Received:1900-01-01 Revised:1900-01-01 Online:2011-07-01 Published:2011-07-01

一种逆向分析协议状态机模型的有效方法

田 园,李建斌,张 振   

  1. 大连理工大学 软件学院,辽宁 大连 116620

Abstract: Protocol reverse engineering is important to both trusted software verification,protection and malware analysis.Because of protocol’s complexity,it’s particularly helpful to reconstruct high-level model which is consistent with the protocol’s source code among which the Finite State Machine(FSM) model is the most widely used.This paper proposes an efficient method to reconstruct network protocol’s FSM model from the recorded transcripts and execution traces in protocol’s sessions via decompilation and enhanced formal analysis/verification techniques,resulting in state instances,transition relations and state-transition conditions in the FSM.As a result,a generic FSM model is reconstructed from execution trace instances with practical efficiency and provable soundeness.In addition to theoretical description,the engineering evaluation and application of this method is also discussed.

Key words: network protocol, protocol reverse engineering, Finite State Machine(FSM), executable binary

摘要: 网络协议的逆向分析技术无论对可信软件的验证、保护还是对恶意软件机理的分析都具有重要用途。由于协议的内在复杂性,重构与其源程序一致的高级模型对分析尤为有益,其中又以有限状态机模型最为典型。建立一种重构网络协议状态机模型的有效方法,主要依据所记录的协议会话的消息流及协议软件实际执行的指令流,通过对指令流反编译并应用改进的形式分析及验证技术构建出状态对象、转移关系及状态转移条件。该方法从协议的会话实例重构出充分一般的状态机模型,效率可行并具有逻辑上可证明的精确性。在详细阐述理论基础之后,也讨论了该方法的实现和应用。

关键词: 网络协议, 协议逆向工程, 有限状态机, 可执行程序